Failed to verify the manifest signature: The predicted (387) and the actual (384) length differ

tmartensson · February 6, 2026, 10:46am

Hi,
I’m trying to use AWS KMS key to sign the Mender artifact and it seems to work just fine on my build machine but it fails to verify it on the install target:

After succesfully running mender-convert
Extract the tar file:

$ mkdir temp
$ cd temp/
$ tar -xf ../mender-artifact-x86_64.mender

$ ls -l
drwxrwxr-x 1 username username  24 Feb  5 11:52 data
-rw------- 1 username username 379 Feb  5 10:14 header.tar.zst
-rw------- 1 username username 242 Jan  1  1970 manifest
-rw------- 1 username username  31 Jan  1  1970 version

Sign manifest with kms sign:



$ aws kms sign --key-id alias/bogus-key-alias --message fileb://manifest --message-type RAW --signing-algorithm RSASSA_PKCS1_V1_5_SHA_256 --query Signature --output text > manifest.sig

$ ls -l
drwxrwxr-x 1 username username  24 Feb  5 11:52 data
-rw------- 1 username username 379 Feb  5 10:14 header.tar.zst
-rw------- 1 username username 242 Jan  1  1970 manifest
-rw-rw-r-- 1 username username 513 Feb  5 11:53 manifest.sig
-rw------- 1 username username  31 Jan  1  1970 version

base64 decode the manifest to we can verify it:
$ base64 -d manifest.sig > manifest.sig.raw

Verify (the public key saved previously):
$ openssl dgst -sha256 -verify /tmp/bogus-public-key.pem -signature manifest.sig.raw manifest
Verified OK

Create a new tar archive that contains mainfest.sig and validate:

$ tar cf ../mender-artifact-x86_64-x86_64-signed.mender version manifest manifest.sig header.tar.zst data/0000.tar.zst

$ mender-artifact validate ../mender-artifact-x86_64-x86_64-signed.mender -k /tmp/bogus-public-key.pem
Artifact file ‘../mender-artifact-x86_64-x86_64-signed.mender’ validated successfully

So far so good, when I try to install it on my target device it fails:



$ sudo mender-update install ./mender-artifact-x86_64-x86_64-signed.mender
record_id=1 severity=error time=“2026-Feb-06 10:19:27.996135” name=“Global” msg=“Signature verification Error: Failed to verify the manifest signature: The predicted (387) and the actual (384) length differ”
Streaming failed.
System not modified.
Could not fulfill request: Signature verification Error: Failed to verify the manifest signature: The predicted (387) and the actual (384) length differ

I have the same public key used with “mender-artifact verify” saved in /etc/mender/artifact-verify-key.pem and have it configured in my config file:
$ grep ArtifactVerifyKey /etc/mender/mender.conf
“ArtifactVerifyKey”: “/etc/mender/artifact-verify-key.pem”,

I think the error message is a red herring, I have verified the key length a thousand times and using “strace” I can see that mender-update does not even try to open my public key so we fail before that step:

$ sudo strace -e trace=openat -f mender-update install ./mender-aftifact-x86_64-signed.mender 2>&1 | grep -E ‘mender.conf|artifact-verify-key.pem’
openat(AT_FDCWD, “/var/lib/mender/mender.conf”, O_RDONLY) = 3
openat(AT_FDCWD, “/etc/mender/mender.conf”, O_RDONLY) = 3

I have tried installing using hosted Mender and locally as described above and both fail with the same error message. Worth noting is that hosted Mender accept the artifact I upload (I messed it up earlier and then it complained and refused the uploaded artifact).

Versions used:

On the build machine:
$ mender-artifact --version
mender-artifact version 4.2.0
On the install target:
$ mender-update --version
5.0.3

Edit: Added printed manifest from the signed mender file (replaced my actual name and versions with “mender-artifact-x86_64”). What I wanted to show was that it says “Signature: signed and verified correctly”

$ mender-artifact read mender-artifact-x86_64-signed.mender --print-manifest -k /tmp/bogus-public-key.pem
Reading Artifact.......................... - 100 %
Mender Artifact:
  Name: mender-artifact-x86_64
  Format: mender
  Version: 3
  Signature: signed and verified correctly
  Compatible devices: [mender-artifact-x86_64]
  Provides group:
  Depends on one of artifact(s): []
  Depends on one of group(s): []
  State scripts: []

Updates:
  - Type: rootfs-image
    Provides:
      rootfs-image.checksum: f4c3b6029124a385b4aff53b9b6b910187662b4ecd8e8b24464ab6ac46fbc013
      rootfs-image.version: mender-artifact-x86_64
    Depends: {}
    Clears Provides: [artifact_group, rootfs_image_checksum, rootfs-image.*]
    Metadata: {}
    Files:
      - checksum: f4c3b6029124a385b4aff53b9b6b910187662b4ecd8e8b24464ab6ac46fbc013
        modified: 2026-02-05 10:13:43 +0000 UTC
        name: rootfs.img
        size: 16106127360

If someone have any clue on what is causing this error it would make me very happy, thank you in advance.

Best regards,
Thomas

Topic		Replies	Views
Mender artifact signing issue - no key for verification provided General Discussions mender-artifact , signature-artifacts	2	314	November 14, 2023
Issue with Mender Artifact signature when using Docker Update Module General Discussions	5	765	September 24, 2019
Issue with key verification using Directory Update Module General Discussions	25	1736	June 28, 2019
Problem with the signature of medner-artifact General Discussions signature-artifacts	4	700	September 23, 2019
Firmware deployment failed due to failed signature verification General Discussions yocto , morty , deployment	5	1268	October 19, 2021

Failed to verify the manifest signature: The predicted (387) and the actual (384) length differ

Related topics